Is This You?

Security person, is this you?

The pressure on the risk department to keep up and approve transactions was immense... In their [traders and bankers] eyes, we were not earning money for the bank. Worse, we had the power to say no and therefore prevent business from being done. Traders saw us as obstructive and a hindrance to their ability to earn higher bonuses. They did not take kindly to this. Sometimes the relationship between the risk department and the business lines ended in arguments. I often had calls from my own risk managers forewarning me that a senior trader was about to call me to complain about a declined transaction. Most of the time the business line would simply not take no for an answer, especially if the profits were big enough. We, of course, were suspicious, because bigger margins usually meant higher risk.

Criticisms that we were being “non-commercial”, “unconstructive” and “obstinate” were not uncommon. It has to be said that the risk department did not always help its cause. Our risk managers, although they had strong analytical skills, were not necessarily good communicators and salesmen. Tactfully explaining why we said no was not our forte. Traders were often exasperated as much by how they were told as by what they were told.

At the root of it all, however, was — and still is — a deeply ingrained flaw in the decision-making process. In contrast to the law, where two sides make an equal-and-opposite argument that is fairly judged, in banks there is always a bias towards one side of the argument. The business line was more focused on getting a transaction approved than on identifying the risks in what it was proposing. The risk factors were a small part of the presentation and always “mitigated”. This made it hard to discourage transactions. If a risk manager said no, he was immediately on a collision course with the business line. The risk thinking therefore leaned towards giving the benefit of the doubt to the risk-takers.

Collective common sense suffered as a result. Often in meetings, our gut reactions as risk managers were negative. But it was difficult to come up with hard-and-fast arguments for why you should decline a transaction, especially when you were sitting opposite a team that had worked for weeks on a proposal, which you had received an hour before the meeting started. In the end, with pressure for earnings and a calm market environment, we reluctantly agreed to marginal transactions.

This excerpt is from the 9 Aug 08 Economist story A personal view of the crisis: Confessions of a risk manager.


Unknown said…
Risk aside, that happens often, and might be one of those things that afflicts everyone in security from CISO all the way down to the SOC/NOC analyst or desktop support dudes. Don't get in the way, don't obstruct business...

Of course, continuous butting of heads like this certainly eats away at the enthusiasm of those people to be good communicators or salesmen. Once the road begins, it's a downward spiral of bad risk decisions and unhappy/unsuccessful employees.
